Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-30960 — Authorization: Missing Authorization vulnerability in fs-code FS Poster fs-poster.This issue affects FS Poster: from n/a
Missing Authorization vulnerability in fs-code FS Poster fs-poster.This issue affects FS Poster: from n/a through <= 6.5.8. CVSSv3.1 8.3 (HIGH)
CVE-2025-30967 — Site: Cross-Site Request Forgery (CSRF) vulnerability in NotFound WPJobBoard wpjobboard allows Upload a Web Shell
Cross-Site Request Forgery (CSRF) vulnerability in NotFound WPJobBoard wpjobboard allows Upload a Web Shell to a Web Server.This issue affects WPJobBoard: from n/a through < 5.11.1. CVSSv3.1 9.6 (CRITICAL)
CVE-2025-26927 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in LiquidThemes AI Hub aihub allows
Unrestricted Upload of File with Dangerous Type vulnerability in LiquidThemes AI Hub aihub allows Upload a Web Shell to a Web Server.This issue affects AI Hub: from n/a through <= 1.3.7. CVSSv3.1 10.0 (CRITICAL)
CVE-2025-26748 — Site: Cross-Site Request Forgery (CSRF) vulnerability in looswebstudio Arkhe arkhe allows PHP Local File Inclusion.This
Cross-Site Request Forgery (CSRF) vulnerability in looswebstudio Arkhe arkhe allows PHP Local File Inclusion.This issue affects Arkhe: from n/a through <= 3.12.0. CVSSv3.1 8.1 (HIGH)
CVE-2025-32911 — A use-after-free type vulnerability was found in libsoup, in the soup_message_headers_get_content_disposition() function.
A use-after-free type vulnerability was found in libsoup, in the soup_message_headers_get_content_disposition() function. This flaw allows a malicious HTTP client to cause memory corruption in the libsoup server. CVSSv3.1 9.0 (CRITICAL) · EPSS 52th percentile
CVE-2025-30985 — Deserialization: of Untrusted Data vulnerability in kagla GNUCommerce gnucommerce allows Object Injection.This issue affects
Deserialization of Untrusted Data vulnerability in kagla GNUCommerce gnucommerce allows Object Injection.This issue affects GNUCommerce: from n/a through <= 1.5.4. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-26959 — Authorization: Missing Authorization vulnerability in Quý Lê 91 Administrator Z administrator-z allows Privilege Escalation.This issue
Missing Authorization vulnerability in Quý Lê 91 Administrator Z administrator-z allows Privilege Escalation.This issue affects Administrator Z: from n/a through <= 2025.03.24. CVSSv3.1 8.8 (HIGH)
CVE-2025-26741 — Authorization: Missing Authorization vulnerability in AWEOS GmbH Email Notifications for Updates wp-update-mail-notification allows Privilege Escalation.This
Missing Authorization vulnerability in AWEOS GmbH Email Notifications for Updates wp-update-mail-notification allows Privilege Escalation.This issue affects Email Notifications for Updates: from n/a through <= 1.1.6. CVSSv3.1 8.8 (HIGH)
CVE-2025-1782 — HylaFAX: In HylaFAX Enterprise Web Interface and AvantFAX, the language form element is not properly
In HylaFAX Enterprise Web Interface and AvantFAX, the language form element is not properly sanitized before being used and can be misused to include an arbitrary file in the PHP code allowing an attacker to do anything as the web server user. This flaw requires the attacker to be authenticated with a valid user account. CVSSv3.1 9.9 (CRITICAL)
CVE-2025-32681 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Guru Error Log Viewer error-log-viewer-wp allows Blind SQL Injection.This issue affects Error Log Viewer: from n/a through <= 1.0.5. CVSSv3.1 8.5 (HIGH)
CVE-2025-32672 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Ultimate Bootstrap Elements for Elementor ultimate-bootstrap-elements-for-elementor allows PHP Local File Inclusion.This issue affects Ultimate Bootstrap Elements for Elementor: from n/a through <= 1.4.9. CVSSv3.1 8.1 (HIGH)
CVE-2025-32663 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in roninwp FAT Cooming Soon fat-coming-soon allows PHP Local File Inclusion.This issue affects FAT Cooming Soon: from n/a through <= 1.1. CVSSv3.1 8.1 (HIGH)
CVE-2025-32656 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Testimonial Slider And Showcase Pro testimonial-slider-showcase-pro allows PHP Local File Inclusion.This issue affects Testimonial Slider And Showcase Pro: from n/a through <= 2.3.15. CVSSv3.1 8.1 (HIGH)
CVE-2025-32654 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Stylemix Motors motors-car-dealership-classified-listings allows PHP Local File Inclusion.This issue affects Motors: from n/a through <= 1.4.71. CVSSv3.1 8.1 (HIGH)
CVE-2025-32650 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ability, Inc Accessibility Suite online-accessibility allows SQL Injection.This issue affects Accessibility Suite: from n/a through <= 4.18. CVSSv3.1 8.5 (HIGH)
CVE-2025-32633 — Limitation: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in neoslab
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in neoslab Database Toolset database-toolset allows Path Traversal.This issue affects Database Toolset: from n/a through <= 1.8.4. CVSSv3.1 8.6 (HIGH)
CVE-2025-32631 — Limitation: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in oxygensuite
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in oxygensuite Oxygen MyData for WooCommerce oxygen-mydata allows Path Traversal.This issue affects Oxygen MyData for WooCommerce: from n/a through <= 1.0.64. CVSSv3.1 8.6 (HIGH)
CVE-2025-32629 — Limitation: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CMSJunkie
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory wp-businessdirectory allows Path Traversal.This issue affects WP-BusinessDirectory: from n/a through <= 3.1.2. CVSSv3.1 8.6 (HIGH)
CVE-2025-32627 — Joomsky Js_job_manager: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JoomSky JS Job Manager js-jobs allows PHP Local File Inclusion.This issue affects JS Job Manager: from n/a through <= 2.0.2. CVSSv3.1 8.1 (HIGH)
CVE-2025-32618 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PickPlugins Wishlist wishlist allows SQL Injection.This issue affects Wishlist: from n/a through <= 1.0.46. CVSSv3.1 8.5 (HIGH)
CVE-2025-32614 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashan Perera EventON eventon-lite allows PHP Local File Inclusion.This issue affects EventON: from n/a through <= 2.4. CVSSv3.1 8.8 (HIGH)
CVE-2025-32607 — Deserialization: of Untrusted Data vulnerability in magepeopleteam WpBookingly service-booking-manager allows Object Injection.This issue affects
Deserialization of Untrusted Data vulnerability in magepeopleteam WpBookingly service-booking-manager allows Object Injection.This issue affects WpBookingly: from n/a through <= 1.3.0. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-32603 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in HK WP Online Users Stats wp-online-users-stats allows Blind SQL Injection.This issue affects WP Online Users Stats: from n/a through <= 1.0.0. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-32589 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in odude Flexi – Guest Submit flexi allows PHP Local File Inclusion.This issue affects Flexi – Guest Submit: from n/a through <= 4.28. CVSSv3.1 8.1 (HIGH)
CVE-2025-32587 — Limitation: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in pickupp
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in pickupp WooCommerce Pickupp wc-pickupp allows PHP Local File Inclusion.This issue affects WooCommerce Pickupp: from n/a through <= 2.4.3. CVSSv3.1 8.1 (HIGH)